Re: [sleuthkit-users] MD5Sum Question
From: farmer d. <far...@ya...> - 2006-04-09 18:47:26
David,

> I'm examining an 80 Gig hard drive. I started with
> Knoppix 3.6 and took
> an initial hash with the drive inside the computer
> and md5sum returned:
> a4d83bac721f9e9cbef44a0f19c9f1d3 /dev/hda

So you dropped in your KNOPPIX CD and made certain no file systems nor swap partitions (if applicable) were mounted or activated, and then you authenticated the physical device "/dev/hda" using 'md5sum' (Just want to make certain.)?

> I installed the drive in another machine (Suse 9.3)
> for examination and
> md5sum returns:
> ae319c49dbfc21fd2f392769083bed58 /dev/hdb

So you then removed the suspect drive and dropped it into another system and received this hash value above using your Suse 9.3 installation? Again, absolutely certain your Suse didn't mount or activate anything on the suspect drive?

> Using knoppix again, I get:
> a4d83bac721f9e9cbef44a0f19c9f1d3 /dev/hda
>

And then you booted your Suse system with your same KNOPPIX CD and received the hash above, yes?

Which kernel version for KNOPPIX CD (2.4 or 2.6)? Which kernel version for your Suse installation?

You've confirmed these three findings by stepping through the same steps you took at least one more time? You're certain you authenticated the correct device node using your Suse installation?

Let us know, until then we can only speculate. Odd size drive, authenticated the wrong device node, etc.

regards,

farmerdude

http://www.forensicbootcd.com
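The checks asked about in the reply above, as an added example that is not part of the original post: confirm that nothing on the device node is mounted or active as swap, then record the byte count next to the MD5 so a size difference between two systems shows up. The function names and the sample /proc/mounts and /proc/swaps contents are constructed for illustration.

```python
import hashlib
import io
import re

# Constructed sample contents of /proc/mounts and /proc/swaps (not from the post).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext3 rw 0 0
/dev/hdb1 /mnt/hdb1 ext3 ro 0 0
proc /proc proc rw 0 0
"""
SAMPLE_SWAPS = """\
Filename Type Size Used Priority
/dev/hdb2 partition 1048568 0 -1
"""

def in_use(device, mounts_text, swaps_text):
    """List mounts and active swap areas on `device` or any of its partitions."""
    node = re.compile(re.escape(device) + r"(p?\d+)?$")
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and node.match(fields[0]):
            hits.append(("mounted", fields[0], fields[1]))
    for line in swaps_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if fields and node.match(fields[0]):
            hits.append(("swap", fields[0], ""))
    return hits

def md5_with_length(stream, chunk=1 << 20):
    """Return (hex digest, bytes read) so a size difference is visible."""
    digest, total = hashlib.md5(), 0
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
        total += len(block)
    return digest.hexdigest(), total

def compare(first, second):
    """Explain how two (digest, length) results from different systems relate."""
    if first == second:
        return "match"
    if first[1] != second[1]:
        return "size differs by %d bytes" % abs(first[1] - second[1])
    return "same size, content differs"

if __name__ == "__main__":
    print(in_use("/dev/hdb", SAMPLE_MOUNTS, SAMPLE_SWAPS))
    a = md5_with_length(io.BytesIO(bytes(1024)))  # stand-in for the device
    b = md5_with_length(io.BytesIO(bytes(512)))
    print(a, b, compare(a, b))
```

On a live system the inputs would be the contents of /proc/mounts and /proc/swaps and the device node opened read-only in binary mode.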